With ISPs like these, who needs enemies?

Service providers aren't providing much of a service when it comes to protecting customers from DDOS attacks
Written by Andrew Donoghue, Contributor

Question: What do the CTO of online betting exchange Betfair and the US Government's ex-Cyber-security chief Richard Clarke have in common? Answer: They both think ISPs should be doing more to combat Distributed Denial of Service (DDOS) attacks.

In a recent interview with ZDNet UK, Clarke claimed that the number of networks of remotely hijacked PCs -- so-called botnets -- being used to deliver DDOS attacks has shot up from around 2000 to 30,000 in the last year. "I think we are going to see companies asking their ISPs to do more. A lot of denial-of-service attacks could be prevented if ISPs co-operated with each other," he said.

Betfair's CTO, David Yu, recently voted Daily Telegraph IT director of the year and a runner-up in our very own CNET UK awards, has had first-hand experience of the havoc this kind of attack can wreak. Earlier this year, his and some other online gambling sites fell victim to a coordinated series of DDOS attacks -- no laughing matter when your business relies on 24/7 uptime with around 300 transactions being processed per second. For companies like Betfair -- which operate in real-time, changing odds and taking bets right up to the point a horse race or football game ends -- downtime is lost money and lots of it.

Things got so bad that, at the height of the attacks, all the sites being targeted opted to forget their competitive differences and concentrate on the best way to combat the common enemy: the hackers and criminals threatening to crash their sites if cash wasn't forthcoming. Yu claims this cross-company coordination was vital in combating the problem.

The idea of companies coming together to form a united defence makes sound business sense. Capitalism is about competition, but cooperation between rivals can make sense if it benefits them all equally. But while the gambling sites showed a willingness to cooperate against the DDOS groups, not everyone with a part to play in the attacks was as forthcoming.

Yu is insistent that ISPs are a vital link in the chain and that their participation in battling the DDOS groups is essential. Despite being pretty happy with the participation of his ISP, Cable & Wireless, Yu said service providers should be doing more to prevent DDOS attacks. One answer would be proactively filtering or blocking the flood of traffic at source.

But it seems that some ISPs don't share Yu's penchant for reciprocal altruism. When contacted by ZDNet UK reporters last week to gauge their reaction to calls for greater ISP participation in blocking DDOS attacks, BT and, surprisingly given Yu's earlier praise, Cable & Wireless, were pretty dismissive.

The most scathing comments came from John Regnault, head of security technology for BT, who, when asked if ISPs should be doing more, said: "Why should ISPs do something?" "It's very much as if people want something for nothing. This noise is superfluous and silly." Nice.

Just the kind of caring, sharing attitude we have come to expect from BT. "It is a question of what a customer is prepared to buy," Regnault added. "There are a number of BT customers who are very happy with the DDoS defence. Perhaps if you are not prepared to pay that, you would jump up and down and say it's the duty of the ISP to do it. Perhaps I would say that it's time to change ISP."

BT sees its role as a service provider as a purveyor of raw bits. It is capable of protecting you from DDOS attacks but only if you stump up extra cash to pay for it. 'We can protect you but it won't come cheap' -- the last time I heard an ultimatum like that it was coming from the cigar-chomping lips of Tony Soprano.

But surely Cable & Wireless must have a slightly more responsible attitude -- after all, Yu had singled them out for praise following Betfair's DDOS incidents earlier this year? Nope. Director of incident response for Cable and Wireless Richard Starnes pretty much concurred with BT's Regnault.

"We get put into this position that ISPs should do more to promote anti-spam and antivirus. We should do, but we're going to charge for it. We're a business and we have to support our shareholders and keep our employees in jobs. We're not going to do that by giving our services away for free." Inspiring attitudes from two of the UK's leading service providers.

ISPs don't want to take a proactive approach to security until they're forced. Why go to the trouble of eradicating a security threat for free when you can charge your customers a premium instead? Altruism is a dirty word to some corporations: they harp on about social responsibility when it suits them but, at the end of the day, as Starnes points out, their first duty is to the "shareholders". Much the same attitudes prevailed when the first moves towards Victorian sanitation roused the anger of those building city infrastructure. It's not our business what people do with their waste, said the builders: to see what happens when such ideas prevail, visit any shanty town. Is that what BT and C&W want?

It might seem tough to ask for better corporate citizenship when the only people really suffering from DDOS are gambling sites, but this is not a matter of personal morality. What hits a bookie today could hit the NHS online booking system tomorrow, and that could lose more than money.

The agency which should be leading the charge here is Ofcom -- the communications watchdog. At the moment, Ofcom is understandably reluctant to get involved in the messy, constantly evolving world of Internet regulation, but that might be about to change. There is a clause in the Communications Act under which Ofcom operates that says the watchdog has some responsibilities when it comes to stopping abuse of electronic networks. Ofcom could use this clause to get ISPs to take responsibility for DDOS attacks and malware -- if it's serious about regulating the electronic environment for the benefit of all.
